Introduction


The ICO introduced the Sandbox service to support organisations who are developing products and/or services that use 
personal data in innovative and safe ways and where such products and/or services deliver a potential public benefit. 


In order to develop the Sandbox, the ICO initially launched the Sandbox as a beta phase, for an initial group of participant 
organisations during 2019 - 2020. 


The beta phase provides a free, professional, fully functioning service for ten organisations, of varying types and sizes, 
across a number of sectors. 


Organisations who were selected for participation in the Sandbox beta phase have had the opportunity to engage with us,
draw upon our expertise and receive our advice on mitigating risks and implementing ‘data protection by design’ into their
product or service, whilst ensuring that appropriate protections and safeguards are in place. Jisc was one of the candidates
who were selected for participation in the Sandbox beta phase.


During their involvement in the Sandbox, Jisc developed a Wellbeing Code of Practice for universities and colleges who wish 
to investigate the use and analysis of student activity data in order to improve the institution's provision of student support 
services. The ultimate aim is to help the institutions support the mental, emotional and physical wellbeing of the students, 
whilst also ensuring that their privacy rights are maintained and protected. It should be noted that the Wellbeing Code of 
Practice does not carry the status of an official ICO statutory Code of Practice, and it should not be viewed as such; rather 
this is just a common term used in the education sector. 


A scoping meeting was held between representatives from Jisc and the ICO Sandbox team in Bristol on 18 July 2019. 


Following on from the meeting, objectives for Jisc's Sandbox participation were agreed and the Sandbox plan was approved 
and signed off on 12 September 2019. This report outlines in section 4 how those objectives have been met by Jisc, as it 
prepares to exit the Sandbox. 
2. Executive summary


2.1.  Jisc's Sandbox plan objectives were agreed as follows: 


• Objective 1: Jisc will, with informal steers from ICO Sandbox where appropriate, identify what personal data could be
used by the universities or colleges in the analytics.


• Objective 2: Jisc will seek to evidence the necessity of their Wellbeing Code of Practice by providing
evidence/research on the HE Sector mental health crisis and explaining how their analytics will help to avert the crisis.


• Objective 3: Jisc will ensure that key data protection challenges including, but not limited to, how to identify a lawful
basis, what should be included in privacy notices when initial data is collected, what to do if under 18's data may form
part of the analytics and how and when to conduct a Data Protection Impact Assessment are addressed by the
Wellbeing Code of Practice.


2.2. Through meetings and workshops the ICO provided support on the development of Jisc's Wellbeing Code of Practice and 
provided informal steers on the tools that form the annexes to the Wellbeing Code of Practice. 


2.3. The first tool incorporated in the Wellbeing Code of Practice is the Purpose compatibility matrix, which provides a structure
for the university to list the data they want to use in their data analytics, and to assess whether using the data for analytics
would, in accordance with Article 89(1) GDPR, not be considered incompatible with the initial purposes for which it was
collected.


2.4. The second tool in the Wellbeing Code of Practice is a tailored DPIA template that provides targeted guidance on the risks 
that the universities need to consider and assess prior to commencing data analytics for this purpose, along with 
suggestions around how the identified risks could be mitigated. 
Product/service description


Jisc are the UK higher, further education and skills sectors’ not-for-profit organisation for digital services and solutions, 
offering expert and trusted advice on digital technology for education and research. 


During their involvement in the Sandbox, Jisc have developed a Wellbeing Code of Practice for universities and colleges who 
wish to investigate the use and analysis of student activity data in order to improve the institution's provision of student 
support services. The ultimate aim is to help the institutions support the mental, emotional and physical wellbeing of the 
students, whilst also ensuring that rights around their privacy are maintained and protected. 


Taking part in the ICO Sandbox was intended to enable Jisc to draw on the ICO's expertise and advice on data protection by 
design, ensuring that the code represents good practice. 


Jisc already has a separate learning analytics code of practice (which was not addressed as part of the sandbox), which 
provides an ethical approach to using student data to improve learning. The objective of Jisc's participation in the Sandbox 
was to extend this concept (but to approach it from a more comprehensive data protection compliance perspective), to the
area of student support and wellbeing, particularly to address current issues pertaining to student mental health problems. 
Due to the intrusive and potentially high risk nature of this processing, it was recognised that a fine balance would need to 
be struck between ensuring compliance with data protection legislation, whilst also enabling the Wellbeing Code of Practice 
to offer sufficient benefit to the educational institutions who would be relying on it. 


In addition to this work, there are a number of Universities that are already considering using data analytics to identify 
where wellbeing support may be required for a student. Jisc would like its Wellbeing Code of Practice to build on the existing 
thinking and initiatives which are already ongoing in the sector, and to help inform universities how to approach such 
analytics which they hope to carry out on student data. 


Information Commissioner's Office 


4. Key data protection considerations 


Jisc’s involvement in the Sandbox, as defined by its Sandbox plan, centred around 3 key objectives. The below sections 
outline each of these objectives, and how they were addressed during Jisc’s participation in the Sandbox. 


4.1. Objective 1: Jisc will, with informal steers from ICO Sandbox where appropriate, identify what 
personal data could be used by the universities or colleges in the analytics. 


The specific tasks which Jisc agreed to carry out during the Sandbox, in order to achieve this objective were as follows: 


• Jisc to work with universities (possibly those conducting live pilots) to establish and identify what data they hold that
could inform and be used as part of the analytics activity.

• Assess the legality, in relation to compliance with GDPR, of using data obtained from third parties, for analytics
purposes, which may be incompatible with the reason for which they were initially collected by the third party.

• Jisc to identify, for each data set, whether it would be consistent with student expectations to use such data sets for
the purposes of analytics.

• Whether the use of data for the analytics would be consistent with the purpose limitation principle of the GDPR or if
any exemptions would apply.


During the scoping meeting held on 18 July 2019, one of the first items discussed was what information would be used for 
the analytics and how the universities would be able to demonstrate that in respect of each piece of data collected, such 
collection and processing was both necessary and lawful (within the meaning of the GDPR Article 5 principles, Article 6 and 
accompanying ICO guidance). 


This resulted in the ICO encouraging Jisc to collate a list of all the data sources that were mentioned as being possibly 
relevant to wellbeing and mental health analytics. These would differ from university to university but might include, for 
example, data held by Student Loan providers (such as delays in payment), information from accommodation providers,
family background etc. 


Conclusions and outputs 


Subsequent discussions were then held between Jisc and the ICO, which concluded that each institution may wish to use a 
different subset of these data sources, and that each one's primary purpose for processing them may well be different (e.g. 
some will hold students' family background data for statistical reporting purposes, others for specific support for widening 
participation purposes etc). Rather than stating which are/are not appropriate to use, Jisc has therefore, in collaboration with 
the ICO, developed a series of questions that institutions can use to guide and record their own assessment of both purpose 
compatibility and the best way to achieve the required level of privacy notification/permission. Each organisation should 
already have a Record of Processing Activities in place as per Article 30 GDPR, which can be used as a starting point, as it 
should identify all the current personal data activities processed by the institution. These questions which Jisc developed 
resulted in what was referred to as the Purpose/Notice matrix tool, which Jisc included as an annex in its Wellbeing Code of 
Practice. 


Guidance on how to provide privacy notices to students whose data is being used for wellbeing analytics purposes is included 
in the Transparency section of the Wellbeing Code of Practice, whilst the 'Purpose/Notice matrix' tool will also help
institutions decide if further privacy information needs to be provided to students (in addition to the original privacy notices 
which they should have received). 


Objective 2: Jisc will seek to evidence the necessity of their Wellbeing Code of Practice by 
providing evidence/research on the HE Sector mental health crisis and explaining how their 
analytics will help to avert the crisis. 


The specific tasks identified as part of this objective were: 
• Jisc to seek to demonstrate/evidence that the interventions resulting from their proposed mental health analytics
would be strictly necessary. This research should examine the trade-offs of potentially invasive analytics against the
potential impact in terms of reducing harm to students.


• Jisc to work with Mental Health experts to confirm that any guidance published is in accordance with good professional
practice.


Conclusions and outputs 


Jisc commissioned a separate report (outside of the Sandbox and separate to its Wellbeing Code of Practice) in July 2018, 
published jointly with the Higher Education Policy Institute (HEPI), on the necessity of making better use of data in 
supporting students with wellbeing/mental health issues. Discussions with partners in an Office for Students (OfS) project 
and with AMOSSHE (the Student Services Organisation), have identified a further need to use data for triage and support, as 
well as for the analytics that were the original focus of Jisc's Sandbox application. This separate work outside of the Sandbox 
will assist Jisc in achieving this objective. However, at the time of their exit from the Sandbox, due to Covid-19, this action
was not complete. 


The Wellbeing Code of Practice therefore proposes good practice both for all these uses of data, and for evaluating which are 
the strictly necessary sources that each institution should seek to use for each purpose. The recommendations of the 
Wellbeing Code of Practice have been validated by a Mental Health (MH) professional on Jisc staff; Jisc are still seeking to 
recruit an external group of MH experts to steer its work in this area, but this will take place outside of the Sandbox process. 


Objective 3: Jisc will ensure that key data protection challenges including, but not limited to, how 
to identify a lawful basis, what should be included in privacy notices when initial data is collected, 
what to do if under 18's data may form part of the analytics and how and when to conduct a Data 
Protection Impact Assessment are addressed by their Wellbeing Code of Practice. 
This objective has been achieved through the production of Jisc’s Wellbeing Code of Practice.


The Wellbeing Code of Practice includes, but is not limited to, information regarding: how the universities can demonstrate
compliance with the Accountability principle under GDPR, including the requirement to perform a DPIA - this in turn will help 
the Universities identify the most appropriate lawful bases and conditions for processing (under Article 6 of the GDPR and 
also Article 9 of the GDPR and Schedule 1 of the Data Protection Act 2018 where Special Category Data is being processed) 
that might apply, and the circumstances and obligations that each would require; pointers to guidance on privacy notices and 
provision for under 18s (in addition to the privacy notice assessment mentioned under objective 1 above). 


Jisc has worked with the ICO to develop the tools that support the Wellbeing Code of Practice; these cover all the main data
protection challenges which an educational institution is likely to encounter when approaching the issue of how to undertake 
such analytics activity. To do this the ICO helped Jisc undertake a mapping exercise to ensure that DP principles and 
obligations were mapped against the Wellbeing Code of Practice principles to ensure everything was covered, and that 
accountability was a key initial theme, to ensure data protection by design. 


The ICO supported Jisc in developing a DPIA template with specific risks and mitigation measures likely to arise when using 
student data for health and wellbeing analytics purposes; this has been tested informally with partners in an OfS project. 
This tool gives universities a tailored way of assessing the specific risks around Wellbeing data analytics, providing a bespoke 
starting point rather than a generic approach. 


Although it is ultimately each university’s decision as to which lawful basis (and condition for processing special category data 
if applicable) is needed, the Jisc Wellbeing Code of Practice, specifically the DPIA tool, will help the organisation identify the 
most suitable lawful basis/processing condition, and provide guidance on how this should be documented. The use of the 
Purpose/Notice matrix tool will also help them decide whether the original lawful basis that the data was collected for would 
be compatible with its use in the data analytics, or whether an additional lawful basis (or consent) should be sought from the 
student(s) in question. 
Lawful basis


On 10 September 2019 a discussion on lawful bases and conditions for processing special category data was held with key ICO
stakeholders.


As a result of this discussion, based on the description of the proposed processing of conducting analytics on data held about 
students to highlight those more likely to need wellbeing support, it was agreed that the most appropriate Article 6 lawful 
bases were either Public Task or Legitimate Interests. 


Further detail on the use of public task as a lawful basis can be found on the ICO website. 


This lawful basis was discussed as an option due to the fact that it is generally accepted in the UK and by the ICO that 
universities are likely to fall under the definition of "public authorities", and they carry out processing in the exercise of 
official authority, with a clear basis in law. However, Universities are in a unique position because although they are 
considered to be public authorities carrying out some tasks in that capacity, they are also private institutions who can carry 
out additional tasks in their private capacity, and the precise scope of their powers and functions may vary, depending on 
their specific legal constitution (e.g. the University Charter). Due to this unique position, each University needs to assess for
itself the scope and legal source of its tasks as a public authority. If it cannot point to a relevant public task (in this case the 
duty of care to protect students' wellbeing), it can consider legitimate interests. 


Public authorities can only rely on legitimate interests if they are processing for a legitimate reason other than performing 
their tasks as a public authority. 


In order to consider this in sufficient detail, a legitimate interest assessment must be carried out and documented. The
university will therefore need to:


• identify a legitimate interest;
• show that the processing is necessary to achieve it; and
• balance it against the individual’s interests, rights and freedoms.


The legitimate interests can be in the interests of the university or the interests of third parties. In the Universities’ 
circumstances, these would most likely include the individual interests of students who would be enabled to complete their 
studies and/or receive appropriate treatment, or broader societal benefits such as avoiding the trauma for friends and family 
of those experiencing mental health crises and, through early intervention, reducing the burden on public health services. 


The university should keep a record of the legitimate interests assessment (LIA) to help them demonstrate compliance if
required; this can form part of the DPIA as noted in the tool.


Details of the legitimate interests should be documented in the privacy information provided to students. 


Conditions for processing special category data 


As using analytics to identify student wellbeing issues will inevitably involve receiving information directly relating to an 
individual’s mental health, or as a minimum, inferring information about an individual’s mental health, this would include 
processing of Special Category Data, and therefore, an Article 9 condition / Schedule 1 DPA 2018 condition for processing is 
required. 


Although the health and social care (preventative medicine) condition was considered, it was decided that it wasn’t likely to 
apply in this context because the processing is not generally likely to be under the responsibility of an appropriate medical 
professional, and so, following on from discussions between Jisc and the ICO, the most appropriate condition is likely to be: 


Article 9(2)(g) (reasons of substantial public interest) on the basis of the substantial public interest condition for 
safeguarding children and individuals at risk (DPA 2018 Schedule 1 paragraph 18). 


The ICO agrees in principle that students as a group could be ‘individuals at risk’ for these purposes, and that analytics may 
be a necessary and proportionate approach in the substantial public interest. However, Universities will need to be able to 
demonstrate in detail how the condition applies to their use of analytics. For example:


• They need to demonstrate that the processing is necessary and proportionate;

• They need to demonstrate that the students as a group are ‘at risk’ in terms of needing care/support, being at risk of
physical, mental or emotional harm, and being unable to protect themselves. Whilst ICO is likely to accept this in
principle, there’s still an obligation on the controller to demonstrate that this is the case and document how they have
reached that decision;

• They need to demonstrate why obtaining consent is either not possible or would be unreasonable; and

• They need to demonstrate a substantial public interest objective.


Universities will also need an Appropriate Policy Document in place, as required under Part 2 of Schedule 1 of the DPA 2018. 


Wellbeing Code of Practice Tool development 


Once the most suitable lawful basis and condition for processing were agreed, the ICO then supported Jisc in its development 
of the DPIA. In doing so, the ICO ensured that Jisc had considered and documented the relevant data protection risks that 
the Universities would generally need to consider, whilst acknowledging that the precise risks that each University would 
encounter would need to be considered on a case by case basis. ICO also supported the development of the Purpose
Compatibility tool, where we highlighted the need for the Universities to identify all the data sources that could be used
within the analytics and how to assess them to ensure that they could be used in a compliant manner.


Exit statement 


Jisc’s participation in the ICO’s Regulatory Sandbox has given the ICO the opportunity to gain a valuable insight into the 
Education sector and an appreciation for how, theoretically, organisations may seek to use data analytics to support their 
students’ wellbeing whilst complying with data protection legislation. 
The ICO's work with Jisc has helped highlight the challenges that organisations will likely face in terms of identifying the
most suitable lawful basis for organisations such as universities, which are deemed to be public authorities, but do not 
always have a clear basis in law that is needed for them to use Public Task as a lawful basis. 


It has also provided insight for Jisc on how to break down the research and operational stages of data analytics as two sets
of data processing, and so assess the risks and requirements for compliance for each separately.


It is hoped that Jisc's resulting Wellbeing Code of Practice will, as it is increasingly put into live use, provide universities with
sector-tailored guidance that focuses their minds on the purpose of the processing, ensuring that only data
which improves the outcome is used. Also, it is hoped that the Wellbeing Code of Practice will allow them to assess the data
sources used to ensure that further processing is not incompatible with the reason it was originally collected and assess the
data protection risks of conducting this processing. The ICO has recommended to Jisc that the guidance in the Wellbeing
Code of Practice is kept under regular review, taking into account feedback received from Universities who use the Wellbeing
Code of Practice and are undertaking, or considering undertaking, such analytics projects.